The Bromium InfoSec Challenge

We think it’s time security vendors are held accountable for their promises: Ditch marketing hyperbole in favor of defensible design and rigorous evaluation. We want to draw a bright line between technologies – like Bromium – that make endpoints more secure through careful design and rigorous testing, and “maybe” technologies – like next-gen AV – that can only be evaluated with yesterday’s attacks – when 99% of today’s malware morphs into new, undetectable variants in under a minute.

In this spirit we challenged attendees of InfoSec Europe last week to bring their own worst malware to the show. If it could bypass Bromium isolation and compromise an endpoint, they’d win £10K. No other security vendor would dare to expose itself like this, because they just don’t know if their products work. They may not even detect known bad. Bromium defeated every attack offered at InfoSec, including crypto-malware, the Black Energy attack on the Ukrainian power grid, and malware hand-crafted by legacy endpoint security competitors. Perhaps as importantly, we delivered detailed forensics for each attack – even those that were unknown to VirusTotal – on the show floor.

Defensible design substantially increases the cost to the attacker. It does not mean “perfect”. When we launched the challenge I said: “I want to be clear that we don’t think our product is unbelievable or even unbreakable. It’s just damn good.” All this is simply an effort to better protect our enterprise customers and their IP. But you don’t need to believe me. We welcome independent scrutiny and validation. In each of the past 5 years we have given our product and source code to many of the world’s best pen-testing organizations to validate.

The InfoSec Challenge was also a first step toward engaging with the white hat security community. Last week we also benefited from the rigorous testing of one of the world’s best, Tavis Ormandy of Google, who found a legitimate bug in our product. We are grateful, and are working with Tavis to ensure that he confirms that we’ve fixed it. As a result our product is better than it was before.

Why Bromium is Different

AV tries to protect each endpoint by detecting an attack. It tries (and often fails) to detect and protect each endpoint independently of all other endpoints, based on signatures from the vendor. This model is dead. Detection will fail at some point, giving an attacker the foothold he needs. More importantly, compromising a single endpoint is just a step on the path to an enterprise breach. Bromium Advanced Endpoint Security (AES) is different. It is an enterprise protection platform. Bromium AES:

Reduces the attack surface of each endpoint; and

Continuously monitors and correlates execution activity across all endpoints to reduce the enterprise attack surface.

Assuming that there will always be application and OS vulnerabilities, Bromium AES always increases the cost to the attacker by massively reducing the attack surface of each endpoint. We do this by:

Hardware isolating user- and kernel-mode execution of each untrusted application task – in a micro-VM

Ensuring that high-value information (IDs, credentials, networks, sites and files) is not available in a micro-VM

Enabling persisted untrusted files to be safely accessed in isolation, in a micro-VM

Discarding each micro-VM when the user closes the task, eliminating persistence and unwanted side-effects

Continually monitoring each micro-VM and the host OS for signs of a breach, from the tamper-proof perspective of the Microvisor.

All with few or no changes to the user experience.

More importantly, it is time to move beyond a model where we bet the security of the enterprise on the security of a single endpoint. Instead we need to embrace a system in which endpoints collaborate to enhance enterprise-wide protection, detection and response. Even if a single endpoint is compromised, the system will detect the breach and automate a response, reducing the enterprise attack surface:

Protection is not based on detection. It’s always there. And when an endpoint identifies malicious or suspicious activity in a micro-VM or the desktop host, it shares this information in real time with the Bromium Enterprise Controller (BEC), which correlates execution activity across all endpoints to accelerate response.
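As an added illustration of the cross-endpoint correlation idea described above (this is example code written for this page, not Bromium's own code, schema or controller logic), the following Python models endpoints reporting suspicious observations from inside micro-VMs to a central controller, which groups the reports by indicator, singles out indicators seen on more than one endpoint, and derives which other endpoints should be hardened pre-emptively. The event fields, the `min_endpoints` threshold, the host names and the indicator values are all constructed assumptions.

```python
"""Cross-endpoint correlation of micro-VM observations (added illustration).

Field names, thresholds, host names and indicator values are constructed for
this example; they are not Bromium's telemetry format or BEC logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class MicroVmEvent:
    """One suspicious observation an endpoint reports from inside a micro-VM."""
    endpoint: str     # reporting endpoint (hypothetical host name)
    task: str         # the untrusted task that was isolated (browser tab, attachment, ...)
    indicator: str    # what was observed: a dropped-file hash, a contacted domain, ...
    discarded: bool   # True once the micro-VM was thrown away with its task


# Constructed sample telemetry from four endpoints; indicator values are placeholders.
SAMPLE_EVENTS: List[MicroVmEvent] = [
    MicroVmEvent("ws-01", "browser", "hash-A", True),
    MicroVmEvent("ws-02", "mail-attachment", "hash-A", True),
    MicroVmEvent("ws-01", "browser", "domain-X", True),
    MicroVmEvent("ws-03", "browser", "domain-X", True),
    MicroVmEvent("ws-04", "document", "hash-B", False),  # task still open on ws-04
]

ALL_ENDPOINTS: List[str] = ["ws-01", "ws-02", "ws-03", "ws-04"]


def correlate(events: Iterable[MicroVmEvent], min_endpoints: int = 2) -> Dict[str, List[str]]:
    """Map each indicator to the endpoints that reported it, keeping only those
    seen on at least `min_endpoints` distinct endpoints: one isolated sighting
    is a contained nuisance, the same artefact on several hosts is a campaign."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        seen[ev.indicator].add(ev.endpoint)
    return {ind: sorted(hosts) for ind, hosts in seen.items() if len(hosts) >= min_endpoints}


def live_micro_vms(events: Iterable[MicroVmEvent]) -> List[MicroVmEvent]:
    """Observations whose micro-VM has not yet been discarded: the isolated task
    is still running, so its full state can still be captured for forensics."""
    return [ev for ev in events if not ev.discarded]


def proactive_targets(events: Iterable[MicroVmEvent], all_endpoints: Iterable[str],
                      min_endpoints: int = 2) -> Dict[str, List[str]]:
    """For every correlated indicator, list the endpoints that have NOT reported it.
    Pushing the indicator to those hosts first is how an attack on one endpoint
    shrinks the attack surface of the rest of the enterprise."""
    everyone = set(all_endpoints)
    return {ind: sorted(everyone - set(hosts))
            for ind, hosts in correlate(events, min_endpoints).items()}


if __name__ == "__main__":
    targets = proactive_targets(SAMPLE_EVENTS, ALL_ENDPOINTS)
    for ind, hosts in correlate(SAMPLE_EVENTS).items():
        print(f"{ind}: reported by {hosts}; pre-empt on {targets[ind]}")
    for ev in live_micro_vms(SAMPLE_EVENTS):
        print(f"micro-VM still live on {ev.endpoint} ({ev.task}): capture before it is discarded")
```

Running the script on the constructed events reports `hash-A` and `domain-X` as seen on two endpoints each, names the remaining endpoints to pre-empt, and flags the still-open micro-VM on ws-04 as the one place where forensic state has not yet been discarded. The threshold is deliberately a parameter: at `min_endpoints=1` the controller would treat every isolated sighting as enterprise-wide, which is exactly the per-endpoint noise the correlation step is meant to filter.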